mysql password()

jaytux

hi have an MySql database that i use for a basic user login i use 'password($password)' to insert and check logins, what i would like to know is it possiable to retrieve the password in a not encoded format so i can email to users who have forgotten.
I know this may be a security issue but im not running a bank here! Thanks again

hermand

Not quite sure what you're doing, but I usually 'encrypt' passwords with MD5, then instead of giving them their password they get a new one e-mailed to them.

hermand

What does that password($password); actually do?

jaytux

I mean i use some sql like the line bellow.....

$sql = "SELECT * from companyusers where username = \"$user\" and password = password(\"$pass\") LIMIT 1";

is this any help to you??
maybe a will have to rethink the login process?

hermand

Whats the deal with the password in brackets? Sorry, I'm probably being tarded, but why not just

$sql = "SELECT * from companyusers where username = '$user' and password = '$pass' LIMIT 1";

jaytux

when inserting values to the database when password($password) is used the supplied variable $password is in some way encoded/encrypted before is inserted to the database, and when used to select a row it feeds the sql serv the encoded/encrypted password for verification.

Does that help any??

Im not a php/sql/security savant as you may have guessed, Sorry ;-)

hermand

Alright, i've never used that 😃

Hmm, it may be a one way proccess, perhaps do the thing where if they lose their pass it resets with a random one and e-mails them. They can then change it at their leisure?

jaytux

maybe think i will have to do that, because i cant find anybody who knows about it,

Thanks for trying anyway!

jabi

You said that the $password is somehow being encrypted. Have you tried renaming your variable to something else like $user_pass or $pass_word? If it is still being encrypted, try changing the field name in your database table. Please let me know if this helps.

hermand

Its supposed to encrupted, isn't it?

jabi

Sorry, jaytux, missed your function call in the first reading.

The password() is used to encrypt passwords in the MySql user grant table. Here's the reference:

PASSWORD(str)
Calculates a password string from the plaintext password str. This is the function that is used for encrypting MySQL passwords for storage in the Password column of the user grant table:
mysql> select PASSWORD('badpwd');
-> '7f84554057dd964b'
PASSWORD() encryption is non-reversible. PASSWORD() does not perform password encryption in the same way that Unix passwords are encrypted. You should not assume that if your Unix password and your MySQL password are the same, PASSWORD() will result in the same encrypted value as is stored in the Unix password file. See ENCRYPT().

If you are simply creating a table in your own database for your users, then don't use the PASSWORD() function.

jaytux

i see. thanks anyway
will have to set the password to something random then allow user to change there password!

Jay.